Re: Rotating Privacy Review Responsibilities

Okie dokie, I take Tess, David, Jeffrey and Maciej’s point(s).  Let’s see how far we can get with a volunteer / strongly-suggested approach.

What organizations would be willing to participate in this privacy-review rotation?

To start, Brave will.

Pete

> On Dec 22, 2019, at 2:22 AM, Maciej Stachowiak <mjs@apple.com> wrote:
> 
> 
> 
>> On Dec 20, 2019, at 12:24 PM, Pete Snyder <psnyder@brave.com> wrote:
>> 
>> Thanks all for the feedback!
>> 
>> Up top, I mean this to be a straw-proposal, to get thought shared; I’m not trying to defend any particular aspect of it (at the moment at least).
>> 
>> Re: Tess and David
>> ---
>> I just wanted to highlight that the proposal was to require (or, strongly encourage) each organization to provide a person to do reviews, not for each person in PING to be obligated / expected to do reviews. I wasn’t clear from your remarks if that came across clearly.  If that wasn’t clear, does that change your opinion?
> 
> It would be highly unusual (perhaps unprecedented) for an Interest Group to mandate contribution of work product, even if it’s per-organization rather than per-individual. I don’t think it's a good idea. Specifically considering this particular proposal:
> 
> - Organizations should not be given an incentive to have fewer than two participants.
> - Organizations that want to monitor the discussions but which do not have a participant who is qualified to perform a privacy review of a web standard should not be forced to provide one anyway; it’s not obvious that a low-quality review would be better than a later review.
> 
> Encouragement seems better than a mandate with respect to these two factors.
> 
> (Even Working Groups do not require actual Work, except from volunteers.)
> 
> Regards,
> Maciej
> 
> 
>> Re: Jeffrey
>> ---
>> I appreciate your point about larger groups providing more folks.  At least as a first effort though, I’d like to try and see if we can get more voices / perspectives in the reviews, if possible.  (I don’t mean to say that everyone on team-Blink, for example, has the same viewpoints, only that those points-of-view might be more similar than, say, a Mozilla vs Google point of view).
>> 
>> But, if that’s not feasible / there aren’t sufficient volunteers / orgs willing, I think your idea is terrific.  But, my vote is to treat it as plan-B for the moment :)
>> 
>> Pete
>> 
>>> On Dec 20, 2019, at 12:03 PM, Jeffrey Yasskin <jyasskin@google.com> wrote:
>>> 
>>> I'd suggest two changes:
>>> 
>>> 1) Assign reviews evenly across the individuals who have volunteered, rather than their organizations. This allows larger organizations like Google to contribute more reviews than smaller ones.
>>> 2) Per the Apple folks' comments, encourage medium-to-large organizations to contribute at least one volunteer, but don't require it.
>>> 
>>> The current list of volunteers could be stored in the same repo that holds the review issues. If we assign/claim reviews the same way the TAG does, by using GitHub's issue assignment system, the chairs will have to make sure everyone in the list is a member of the w3cping org.
>>> 
>>> Jeffrey
>>> 
>>> On Thu, Dec 19, 2019 at 1:56 PM Pete Snyder <psnyder@brave.com> wrote:
>>> Hello All,
>>> 
>>> As we discussed on the PING call today, there is much interest in having a standing rotation for doing privacy reviews.  We discussed a couple of options for how to organize this on the call, but I wanted to suggest the following, at least to get discussion going.
>>> 
>>> * Organizations with 2 or more members on PING are responsible for performing periodic privacy reviews
>>> * Reviews will be assigned as group requests and spec needs dictate
>>> * Reviews are expected to be completed w/in 2 weeks of being assigned
>>> * A general request for experts / interest in a particular spec will go out before “pulling from the pool”
>>> * The pool will be randomized, and no organization will be assigned a review until every organization has performed a review (e.g. all relevant member orgs will have performed max 1 more review than any other member org)
>>> * Reviews will be discussed on a PING call before being formalized into action
>>> * It’s appreciated but not required to share notes about the review before the relevant PING call
>>> * Pete and Nick will be as available as possible to assist with privacy reviews and filing issues
>>> 
>>> Under the above criteria, the following member organizations would be responsible for performing reviews (# individuals from that member org in parens).
>>> 
>>> * Apple, Inc. (6)
>>> * Brave Software Inc. (3)
>>> * CANTON CONSULTING (2)
>>> * Center for Democracy and Technology (2)
>>> * China Academy of Information and Communications Technology (CAICT) (3)
>>> * China Mobile Communications Corporation (2)
>>> * Duck Duck Go, Inc. (4)
>>> * Google, Inc. (10)
>>> * Institut National de Recherche en Informatique et en Automatique (INRIA) (2)
>>> * Microsoft Corporation (9)
>>> * Nokia Corporation (2)
>>> * OpenLink Software Inc. (2)
>>> 
>>> If the above looks good, I will take the action item to shuffle and make public the above list, so we can keep track of things and make sure work is fairly shared.
>>> 
>>> Open and eager for people’s thoughts on this!
>>> 
>>> Best,
>>> Pete
>> 
>> 
> 

Received on Sunday, 22 December 2019 20:53:20 UTC